Gitiles
Code Review Sign In
gerrit-public.fairphone.software / kernel / msm-4.19 / 5369a762c882c0b6e9599e4ebbb3a9ba9eee7e2d^! / . / fs / ext4 / xattr.c
commit5369a762c882c0b6e9599e4ebbb3a9ba9eee7e2d[log] [tgz]
authorTheodore Ts'o <tytso@mit.edu>Wed Jun 13 00:23:11 2018 -0400
committerTheodore Ts'o <tytso@mit.edu>Wed Jun 13 00:23:11 2018 -0400
treefe0425a2ac97acce9b8d68b051edad388813dc59
parent327eaf738ff97d19491362e30497954105d60414 [diff] [blame]
ext4: add corruption check in ext4_xattr_set_entry()

In theory this should have been caught earlier when the xattr list was
verified, but in case it got missed, it's simple enough to add check
to make sure we don't overrun the xattr buffer.

This addresses CVE-2018-10879.

https://bugzilla.kernel.org/show_bug.cgi?id=200001

Signed-off-by: Theodore Ts'o <tytso@mit.edu>
Reviewed-by: Andreas Dilger <adilger@dilger.ca>
Cc: stable@kernel.org

diff --git a/fs/ext4/xattr.c b/fs/ext4/xattr.c
index fc4ced5..230ba79 100644
--- a/fs/ext4/xattr.c
+++ b/fs/ext4/xattr.c

@@ -1560,7 +1560,7 @@
 				handle_t *handle, struct inode *inode,
 				bool is_block)
 {
-	struct ext4_xattr_entry *last;
+	struct ext4_xattr_entry *last, *next;
 	struct ext4_xattr_entry *here = s->here;
 	size_t min_offs = s->end - s->base, name_len = strlen(i->name);
 	int in_inode = i->in_inode;
@@ -1595,7 +1595,13 @@
 
 	/* Compute min_offs and last. */
 	last = s->first;
-	for (; !IS_LAST_ENTRY(last); last = EXT4_XATTR_NEXT(last)) {
+	for (; !IS_LAST_ENTRY(last); last = next) {
+		next = EXT4_XATTR_NEXT(last);
+		if ((void *)next >= s->end) {
+			EXT4_ERROR_INODE(inode, "corrupted xattr entries");
+			ret = -EFSCORRUPTED;
+			goto out;
+		}
 		if (!last->e_value_inum && last->e_value_size) {
 			size_t offs = le16_to_cpu(last->e_value_offs);
 			if (offs < min_offs)